Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Black Arrow Cyber Threat Briefing 20 November 2020
Black Arrow Cyber Threat Briefing 20 November 2020
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.
Top Cyber Headlines of the Week
Cyber crime is 'a constant threat' to SMEs
Criminals are diversifying and growing more dangerous, while SMEs remain complacent and mostly oblivious to the threats.
With a quarter of small and medium-sized enterprises (SME) falling victim to a cyberattack in the last 12 months, the threat towards these organizations is constant. This is according to a new report from Direct Line – Business, which claims that businesses aren't doing all they can to stay safe.
The report states that, if a cyber attack were to occur, many organisations would find themselves in a seriously dangerous position given they hold less than $13,000 in cash reserves. Besides financial damage, many should also expect damaged client and customer relationships due to eroded trust.
With cybercriminals diversifying into different methods of attack, SMEs need to stay vigilant on multiple fronts. Phishing is still the most popular weapon for criminals, the report states, but malware and ransomware, as well as DDoS attacks, are also notable mentions.
https://www.itproportal.com/features/cybercrime-is-a-constant-threat-to-smes/
The most common passwords of 2020 are atrocious
Bottom line: Choosing secure passwords has never been humanity’s strong suit and let’s face it, it’s never going to be. People simply have too many accounts to protect these days, leading to poor practices such as simplifying passwords to make them easier to remember and reusing the same password across multiple accounts.
https://www.techspot.com/news/87657-most-common-passwords-2020-atrocious.html#Share
Why ransomware is still so successful: Over a quarter of victims pay the ransom
Over a quarter of organisations that fall victim to ransomware attacks opt to pay the ransom as they feel as if they have no other option than to give into the demands of cyber criminals – and the average ransom amount is now more than $1 million.
Cyber crime is maturing. Here are 6 ways organisations can keep up
In 2020, the world has experienced many challenges. Among them, hastened digitalisation has brought new opportunities but also new risks. According to the World Economic Forum Global Risks Report 2020, cyber attacks rank first among global human-caused risks and RiskIQ predicts that by 2021 cyber crime will cost the world $11.4 million each minute.
https://www.weforum.org/agenda/2020/11/how-to-protect-companies-from-cybercrime/
Ransomware-as-a-service: The pandemic within a pandemic
Ransomware is a massive problem. But you already knew that.
Technical novices, along with seasoned cyber security professionals, have witnessed over the past year a slew of ransomware events that have devastated enterprises around the world. Even those outside of cyber security are now familiar with the concept: criminals behind a keyboard have found a way into an organization’s system, prevented anyone from actually using it by locking it up, and won’t let anyone resume normal activity until the organization pays a hefty fee.
https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/
CISOs say a distributed workforce has critically increased security concerns
73% of security and IT executives are concerned about new vulnerabilities and risks introduced by the distributed workforce, Skybox Security reveals.
The report also uncovered an alarming disconnect between confidence in security posture and increased cyberattacks during the global pandemic.
https://www.helpnetsecurity.com/2020/11/18/distributed-workforce-security/
Threats
Ransomware
Capcom confirms Ragnar Locker ransomware attack, data exposure
Capcom has confirmed that a recent security incident was due to a Ragnar Locker ransomware infection, potentially leading to the exposure of customer records.
This week, the Japanese gaming giant confirmed that the company had fallen prey to "customized ransomware" which gave attackers unauthorised access to its network -- as well as the data stored on Capcom Group systems.
Ransomware attack forces web hosting provider Managed.com to take servers offline
One of the biggest providers of managed web hosting solutions, has taken down all its servers in order to deal with a ransomware attack.
The ransomware impacted the company's public facing web hosting systems, resulting in some customer sites having their data encrypted.
The incident only impacted a limited number of customer sites, which the company said it immediately took offline.
https://www.zdnet.com/article/web-hosting-provider-managed-shuts-down-after-ransomware-attack/
Phishing
Office 365 phishing campaign detects sandboxes to evade detection
Microsoft is tracking an ongoing Office 365 phishing campaign that makes use of several methods to evade automated analysis in attacks against enterprise targets.
"We’re tracking an active credential phishing attack targeting enterprises that uses multiple sophisticated methods for defence evasion and social engineering," Microsoft said.
"The campaign uses timely lures relevant to remote work, like password updates, conferencing info, helpdesk tickets, etc."
Malware
Adult site users targeted with ZLoader malware via fake Java update
A malware campaign ongoing since the beginning of the year has recently changed tactics, switching from exploit kits to social engineering to target adult content consumers.
The operators use an old trick to distribute a variant of ZLoader, a banking trojan that made a comeback earlier this year after an absence of almost two years, now used as an info stealer.
Lazarus malware strikes South Korean supply chains
Lazarus malware has been tracked in new campaigns against South Korean supply chains, made possible through stolen security certificates.
Cyber security researchers reported the abuse of the certificates, stolen from two separate, legitimate South Korean companies.
https://www.zdnet.com/article/lazarus-malware-strikes-south-korean-supply-chains/
Malware activity spikes 128%, Office document phishing skyrockets
The report demonstrates threat actors becoming even more ruthless. Throughout Q3, hackers shifted focus from home networks to overburdened public entities, including the education sector and the Election Assistance Commission (EAC). Malware campaigns, like Emotet, utilized these events as phishing lure themes to assist in delivery.
https://www.helpnetsecurity.com/2020/11/13/malware-activity-q3-2020/
Cloud
Attackers can abuse a misconfigured IAM role across 16 Amazon services
Researchers at Palo Alto’s Unit 42 have confirmed that they have compromised a customer’s AWS cloud account with thousands of workloads using a misconfigured identity and access management (IAM) role.
Vulnerabilities
More than 245,000 Windows systems still remain vulnerable to BlueKeep RDP bug
A year and a half after Microsoft disclosed the BlueKeep vulnerability impacting the Windows RDP service, more than 245,000 Windows systems still remain unpatched and vulnerable to attacks.
The number represents around 25% of the 950,000 systems that were initially discovered to be vulnerable to BlueKeep attacks during a first scan in May 2019.
Windows Kerberos authentication breaks due to security updates
Microsoft is investigating a new known issue causing enterprise domain controllers to experience Kerberos authentication problems after installing security updates released to address CVE-2020-17049 during this month's Patch Tuesday, on November 10.
Cisco Patches Critical Flaw After PoC Exploit Code Release
A critical path-traversal flaw exists in Cisco Security Manager that lays bare sensitive information to remote, unauthenticated attackers.
A day after proof-of-concept (PoC) exploit code was published for a critical flaw in Cisco Security Manager, Cisco has hurried out a patch.
https://threatpost.com/critical-cisco-flaw-sensitive-data/161305/
Widespread Scans Underway for RCE Bugs in WordPress Websites
WordPress websites using buggy Epsilon Framework themes are being hunted by hackers.
Millions of malicious scans are rolling across the internet, looking for known vulnerabilities in the Epsilon Framework for building WordPress themes, according to researchers.
According to the Wordfence Threat Intelligence team, more than 7.5 million probes targeting these vulnerabilities have been observed, against more than 1.5 million WordPress sites, just since Tuesday.
https://threatpost.com/widespread-scans-rce-bugs-wordpress-websites/161374/
Webex fixed some seriously spooky security flaws
Cisco has patched several troubling security vulnerabilities in its Webex video conferencing service.
The flaws in the video conferencing software were flagged. Researchers took a deeper look at the collaboration tools being used for day-to-day work to better understand how they could impact sensitive meetings now being held virtually. During its investigation, the company's security researchers discovered three vulnerabilities in Webex.
https://www.techradar.com/news/cisco-webex-had-some-very-spooky-security-flaws
Data Breaches
Animal Jam was hacked, and data stolen; here’s what parents need to know
WildWorks, the gaming company that makes the popular kids game Animal Jam, has confirmed a data breach.
Animal Jam is one of the most popular games for kids, ranking in the top five games in the 9-11 age category in Apple’s App Store in the U.S., according to data provided by App Annie. But while no data breach is ever good news, WildWorks has been more forthcoming about the incident than most companies would be, making it easier for parents to protect both their information and their kids’ data.
https://techcrunch.com/2020/11/16/animal-jam-data-breach/
Crown Prosecution Service guilty of ‘serious’ data breaches
Prosecutors are routinely guilty of “serious” data breaches that can endanger the public by disclosing addresses of people who report crimes, a watchdog has revealed.
Independent assessors of the Crown Prosecution Service found that prosecutors in England and Wales were responsible for “a significant number of data security breaches”.
Privacy
MacOS Big Sur reveals Apple secretly hates your VPN and firewall
If you're using a Mac VPN and recently updated your device to Big Sur, your privacy may be at risk as it was discovered that Apple apps are able to bypass both firewalls and VPN services in the company's latest version of macOS.
Twitter user mxswd first spotted the issue back in October and provided more details in a tweet which reads: “Some Apple apps bypass some network extensions and VPN Apps. Maps for example can directly access the internet bypassing any NEFilterDataProvider or NEAppProxyProviders you have running”.
https://www.techradar.com/uk/news/macos-big-sur-reveals-apple-secretly-hates-your-vpn-and-firewall
Server failure unearths massive macOS tracking plans
More serious doubts have been raised about Apple's snooping tactics following fresh revelations about the company's macOS software. We’ve already reported how apps in the latest release of macOS can bypass firewalls and VPNs and how the release was bricking some older MacBook Pro machines.
https://www.techradar.com/news/server-failure-unearths-massive-macos-tracking-plans
Employee surveillance software demand increased as workers transitioned to home working
As people hunkered down to work from home during COVID-19, companies turned to employee surveillance software to track their staff.
What does the rise of intrusive tools such as employee surveillance software mean for workers at home?
A new study shows that the demand for employee surveillance software was up 55% in June 2020 compared to the pre-pandemic average. From webcam access to random screenshot monitoring, these surveillance software products can record almost everything an employee does on their computer.
Los Angeles police ban facial recognition software and launch review after officers accused of unauthorized use
The Los Angeles police department (LAPD) has banned commercial facial recognition software and launched a review after 25 officers were accused of using it unofficially to try to identify people.
https://www.theregister.com/2020/11/19/lapd_facial_recogntion/
Nation State Actors
More than 200 systems infected by new Chinese APT 'FunnyDream'
A new Chinese state-sponsored hacking group (also known as an APT) has infected more than 200 systems across Southeast Asia with malware over the past two years.
The malware infections are part of a widespread cyber-espionage campaign carried out by a group named FunnyDream, according to a new report published today by security firm Bitdefender.
The attacks have primarily targeted Southeast Asian governments. While Bitdefender has not named any victim countries, a report published earlier this spring by fellow security firm Kaspersky Lab has identified FunnyDream targets in Malaysia, Taiwan, and the Philippines, with the most victims being located in Vietnam.
https://www.zdnet.com/article/more-than-200-systems-infected-by-new-chinese-apt-funnydream/
Massive, China-state-funded hack hits companies around the world, report says
Attacks are linked to Cicada, a group believed to be funded by the Chinese state.
Researchers have uncovered a massive hacking campaign that’s using sophisticated tools and techniques to compromise the networks of companies around the world.
The hackers, most likely from a well-known group that’s funded by the Chinese government, are outfitted with both off-the-shelf and custom-made tools. One such tool exploits Zerologon, the name given to a Windows server vulnerability, patched in August, that can give attackers instant administrator privileges on vulnerable systems.
Other News
Hackers are leaning more heavily on cloud resources
Underground cloud services may seem like an oxymoron, but they are quite real, and criminals are using them to speed up attacks and leave very little room for compromised businesses to react.
This is according to a new report from cybersecurity firm Trend Micro, which found terabytes of internal business data and logins - including for Google, Amazon and PayPal - for sale on the dark web.
https://www.itproportal.com/news/hackers-are-leaning-more-heavily-on-cloud-resources/
CEOs Will Be Personally Liable for Cyber-Physical Security Incidents by 2024
Digital attack attempts in industrial environments are on the rise. In February 2020, IBM X-Force reported that it had observed a 2,000% increase in the attempts by threat actors to target Industrial Control Systems (ICS) and Operational Technology (OT) assets between 2018 and 2020. This surge eclipsed the total number of attacks against organizations’ industrial environments that had occurred over the previous three years combined.
Reports Published in the Last Week
Sophos 2021 Threat Report: Navigating cybersecurity in an uncertain world
https://nakedsecurity.sophos.com/2020/11/18/sophos-threat-report-2021/
Verizon Releases First Cyber-Espionage Report
https://www.infosecurity-magazine.com/news/verizon-releases-first-cyber/
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Cyber Weekly Flash Briefing 04 September 2020: CEOs could become personally liable for cyber attacks, DDoS extortion, WordPress flaw exploited, Business Email Compromise now $80k, printers at risk
Cyber Weekly Flash Briefing 04 September 2020: CEOs could soon be personally liable for cyber attacks, DDoS Extorters Demand Ransoms from Firms, Hackers exploiting a critical WordPress flaw, Average Business Email Compromise (BEC) attempts are now $80k, Iran based Pioneer Kitten APT Sells Corporate Network Access, Nearly A Million Printers At Risk Of Attack - Thousands Hacked To Prove It
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
CEOs could soon be personally liable for cyberattacks
Within four years, the majority of CEOs will be held personally responsible for cyberattacks that lead to injury and other physical damage.
This is according to a new report from Gartner, which asserts that liability for cyber-physical security incidents will “pierce the corporate veil to personal liability” for 75 percent of CEOs by 2024.
Cyber-physical systems (CPS) are described as digital systems that interact with the physical world, such as IoT devices or operational technologies (OT).
“Regulators and governments will react promptly to an increase in serious incidents resulting from failure to secure CPSs, drastically increasing rules and regulations governing them,” said Katell Thielemann, Research Vice President at Gartner.
“In the US, the FBI, NSA and Cybersecurity and Infrastructure Security Agency (CISA) have already increased the frequency and details provided around threats to critical infrastructure-related systems, most of which are owned by private industry. Soon, CEOs won’t be able to plead ignorance or retreat behind insurance policies.”
Why this matters:
CPS attacks with fatalities will incur costs to businesses of more than $50 billion within the next three years, Gartner predicts. Irrespective of the value of human life, businesses are looking at major costs in terms of compensation, litigation, insurance, regulatory fines and reputation loss.
Technology leaders need to help CEOs understand the risks that CPSs represent and the need to dedicate focus and budget to securing them. The more connected CPSs are, the higher the likelihood of an incident occurring.
Read more: https://www.itproportal.com/news/ceos-could-soon-be-personally-liable-for-cyberattacks/
Global DDoS Extorters Demand Ransom from Firms
Security experts are warning of a new global DDoS-related extortion campaign targeting businesses operating in the e-commerce, finance and travel sectors.
Researchers said they had been tracking the threat actors since mid-August, with victims in North America, APAC and EMEA. Emails are typically delivered claiming to come from state-sponsored groups such as Fancy Bear and Lazarus Group, as well as the “Armada Collective.”
The latter group has been linked to similar extortion emails sent in previous years.
The ransom emails threaten to launch DDoS attacks against the recipient organization of over 2Tbps, if payment of anywhere between 10 and 20BTC ($113,000-226,000) is not made. They also threaten to increase the ransom by 10BTC for each deadline missed.
Also included in the messages are the Autonomous System Numbers (ASNs) or IP addresses of servers or services that the group says it will target if their demands are not met.
Why this matters:
DDoS attacks take businesses legitimate online operations offline by flooding them with traffic such that legitimate traffic can’t get through, or they are so swamped with traffic that services can’t cope. Depending on the type of business and how reliant they are on their online presence these types of attacks could prevent firms from operating entirely.
Recipients of the emails were urged not to pay the ransom
Read more: https://www.infosecurity-magazine.com/news/global-ddos-extorters-ransom-notes/
Hackers are exploiting a critical flaw affecting >350,000 WordPress sites
Hackers are actively exploiting a vulnerability that allows them to execute commands and malicious scripts on Websites running File Manager, a WordPress plugin with more than 700,000 active installations, researchers said on Tuesday. Word of the attacks came a few hours after the security flaw was patched.
Why this matters:
Attackers are using the exploit to upload files hidden in an image, which from there provides a convenient interface that allows them to run commands in the directory where the File Manager plugin resides. Hackers may be able to exact more damage by uploading scripts that can carry out actions on other parts of a vulnerable site.
Phishing attacks surge during the pandemic
In yet another example of cyber criminals exploiting world events, the frequency of phishing threats has risen considerably since the start of the pandemic, with companies experiencing an average of 1,185 attacks every month.
New research reveals that more than half (53 percent) of over 300 IT professionals surveyed by Cyber security Insiders say they had witnessed an increase in phishing activity since the start of the COVID-19 pandemic.
Why this matters:
The report also shows that 38 percent of respondents report that a co-worker has fallen victim to an attack within the last year. As a result, 15 percent of organizations are now left spending anywhere from one to four days remediating malicious attacks during what is already a difficult time for many.
Read more: https://betanews.com/2020/09/01/phishing-surges-during-pandemic/
Average Business Email Compromise (BEC) attempts are now $80k, but one group is aiming for $1.27m per attack
BEC scammer groups are growing more brazen. The average sum that a BEC group will try to steal from a targeted company is now around $80,000 per attack, according to an industry report published on Monday.
The number is up from $54,000, the average sum that BEC groups tried to obtain from victims in Q1 2020, as reported by the Anti-Phishing Working Group (APWG), an industry coalition made up of more than 2,200 organizations from the cyber-security industry, government, law enforcement, and NGOs sector.
One of the largest industry group of its kind, the APWG has been releasing quarterly reports on the state of phishing operations since 2004.
Why this matters:
Most of these reports have usually centred on email phishing attacks that focus on stealing login credentials and distributing malware. However, since the mid-2010s, BEC fraud has been slowly taking more and more space in APWG's reports, as BEC fraud has become today's top cybercrime trend.
BEC, or Business Email Compromise (BEC) scams, usually begin with phishing, with an email sent to a company's employee. The end goal is to dupe the employee into paying fake invoices or transferring funds to an account controlled by the attackers.
Iran based Pioneer Kitten APT Sells Corporate Network Access
An APT (Advanced Persistent Threat) group known as Pioneer Kitten, linked to Iran, has been spotted selling corporate-network credentials on hacker forums.
Pioneer Kitten is a hacker group that specialises in infiltrating corporate networks using open-source tools to compromise remote external services. Researchers observed an actor associated with the group advertising access to compromised networks on an underground forum in July, according to a blog post earlier this week.
Pioneer Kitten’s work is related to other groups either sponsored or run by the Iranian government, which were previously seen hacking VPNs and planting backdoors in companies around the world.
Why this matters:
The credentials would let other cybercriminal groups and APTs perform cyberespionage and other nefarious cyber-activity. It is also noteworthy to see a group operating on behalf of or closed with a Nation State, in this case Iran, appearing to potential attempt to diversify their revenue streams through sales of stolen credentials.
Read more: https://threatpost.com/pioneer-kitten-apt-sells-corporate-network-access/158833/
Nearly A Million Printers At Risk Of Attack, Thousands Hacked To Prove It
Roughly 28,000 printers recently gave their owners an unexpected lesson in cybersecurity. Seemingly unprompted, the printers whirred to life and produced a 5-step guide to keeping hackers at bay.
“This printer has been hacked,” the message began ominously. Fortunately for the “victims” it was a group of ethical hackers behind the attack. A team of researchers from CyberNews was out to remind the public about the potential peril of connected devices.
To get the ball rolling, the team scoured the globe for printers that were vulnerable. They found more than 800,000 in total using a search engine called Shodan.
Shodan is a tool that’s leaned on by both security researchers and cyber criminals. In the past it’s been used to identify thousands of at-risk surveillance cameras, security alarm systems and hundreds of wind turbines and solar devices.
Why this matters:
Vulnerable devices within your networks can present a vulnerability to other devices on your network too and can be an easy point of entry for attackers.
Many firms do a good job of updating desktops and laptops when operating system updates come out, but too many firms neglect networking devices such as routers, modems and switches, and other devices on their networks such as printers.
Read more: https://www.forbes.com/sites/leemathews/2020/08/31/800000-printers-vulnerable-28000-hacked/#4b7c9b87d8a9
or: https://cybernews.com/security/we-hacked-28000-unsecured-printers-to-raise-awareness-of-printer-security-issues/
WhatsApp reveals six previously undisclosed vulnerabilities on new security site
Facebook -owned WhatsApp has revealed six previously undisclosed vulnerabilities, which the company has now fixed. The vulnerabilities are being reported on a dedicated security advisory website that will serve as the new resource providing a comprehensive list of WhatsApp security updates and associated Common Vulnerabilities and Exposures (CVE).
WhatsApp said five of the six vulnerabilities were fixed in the same day, while the remaining bug took a couple of days to remediate. Although some of the bugs could have been remotely triggered, the company said it found no evidence of hackers actively exploiting the vulnerabilities.
Why this matters:
WhatsApp is one of the world’s most popular apps, with more than two billion users around the world. But it’s also a persistent target for hackers, who try to find and exploit vulnerabilities in the platform. As with all software updates should be applied as soon as possible to ensure that fixes that remediate known vulnerabilities are fixed.
Read more: https://techcrunch.com/2020/09/03/whatsapp-security-flaws/
Attackers are trying to exploit a high-severity zero day in Cisco gear
Telecoms and data-centre operators take note: attackers are actively trying to exploit a high-severity zero day vulnerability in Cisco networking devices, the company warned over the weekend.
The security flaw resides in Cisco’s iOS XR Software, an operating system for carrier-grade routers and other networking devices used by telecommunications and data-centre providers. In an advisory published on Saturday, the networking-gear manufacturer said that a patch is not yet available and provided no timeline for when one would be released.
Why this matters:
Zero days do not yet have patches available although the vulnerability is publicly known and in some cases, as in this case, already being targeted by malicious actors.